717d574ab49230cd228c2c0fa25ca5f818bf894f2eae16c68d7843d7f81f6cc0

Analysis

max time kernel
0s
max time network
130s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoshC2-master/cookie_decrypter.py
Size

1KB
MD5

889e16f92b183541589f8f1d74bda195
SHA1

30a03ff1ae25a359f5ca9c366a5ffb3e2dbe7d55
SHA256

17553f058cea54ab726eaf7bf03b9eebb5ad2637ae2d062203fad39e7af6e35d
SHA512

cfbebe15dc6f23cb0ace115f44dd47171ab8112c41ab8e73b5c938683802bc66de7e840cefea25174497c34081d41ba88661778f6d50b75607a41b04d2d133cd

Score

3^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: Python 1 TTPs 4 IoCs

Execution via Python.

execution

Python

T1059.006

Processes:

python3python3python3python3

pid	Process
1508	python3
1508	python3
1508	python3
1508	python3

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

python3

description	ioc	Process
File opened for reading	/proc/self/fd	python3

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

python3

description	ioc	Process
File opened for modification	/tmp/PoshC2-master/poshc2/__pycache__/__init__.cpython-36.pyc.140322901711984	python3

/tmp/PoshC2-master/cookie_decrypter.py
/tmp/PoshC2-master/cookie_decrypter.py
1⤵
PID:1508

/usr/local/sbin/python3
python3 /tmp/PoshC2-master/cookie_decrypter.py
1⤵
- Command and Scripting Interpreter: Python
PID:1508

/usr/local/bin/python3
python3 /tmp/PoshC2-master/cookie_decrypter.py
1⤵
- Command and Scripting Interpreter: Python
PID:1508

/usr/sbin/python3
python3 /tmp/PoshC2-master/cookie_decrypter.py
1⤵
- Command and Scripting Interpreter: Python
PID:1508

/usr/bin/python3
python3 /tmp/PoshC2-master/cookie_decrypter.py
1⤵
- Command and Scripting Interpreter: Python
- Reads runtime system information
- Writes file to tmp directory
PID:1508
- /usr/local/sbin/git
  git describe --match "v[0-9]*" "--abbrev=0" --tags HEAD
  2⤵
  PID:1509
- /usr/local/bin/git
  git describe --match "v[0-9]*" "--abbrev=0" --tags HEAD
  2⤵
  PID:1509
- /usr/sbin/git
  git describe --match "v[0-9]*" "--abbrev=0" --tags HEAD
  2⤵
  PID:1509
- /usr/bin/git
  git describe --match "v[0-9]*" "--abbrev=0" --tags HEAD
  2⤵
  PID:1509
- /sbin/git
  git describe --match "v[0-9]*" "--abbrev=0" --tags HEAD
  2⤵
  PID:1509
- /bin/git
  git describe --match "v[0-9]*" "--abbrev=0" --tags HEAD
  2⤵
  PID:1509
- /snap/bin/git
  git describe --match "v[0-9]*" "--abbrev=0" --tags HEAD
  2⤵
  PID:1509

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Python

T1059.006

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/PoshC2-master/poshc2/__pycache__/__init__.cpython-36.pyc.140322901711984

Filesize
1KB

MD5
8b74b8fad79ed55d96b56d8940c81e7a

SHA1
b58d14ee309e6b59b702cf2251812df66acba5ca

SHA256
3abbcbfde0fe6aba5f9f74f2f4864aa156df62d12359d92f290916b64695fa0b

SHA512
2f4facd3750190eeb1182181064867e9d27f91f2faaeb93d09b7c808b2a1762fd733cc85eabb5819ce95d4b3a68c66d50dc7acd73219267ee1995b7d17ee2030

Download Submit